Notebook
Elasticsearch reference architecture for Agentic applications
This notebook is a guide to building agentic applications using Elasticsearch Agent Builder as the tool provider and LangChain with LangGraph as the workflow engine. It is based on the Elastic Labs blog post Elasticsearch reference architecture for Agentic applications.

Use Case: Security Vulnerability Agent
The Security Vulnerability Agent identifies potential risks based on a user's question by combining three complementary layers:
- Semantic search with embeddings over an internal knowledge base of past incidents, configurations, and known vulnerabilities to retrieve relevant historical evidence.
- Internet search for newly published advisories or threat intelligence that may not yet exist internally.
- LLM correlation that combines and prioritizes the internal and external findings, evaluates their relevance to the user's specific environment, and produces a clear explanation along with potential mitigation steps.
Install dependencies and import packages
Environment Setup
Throughout the application we use common items such as the Elasticsearch client and environment variables.
Elasticsearch Client
Initialize the Elasticsearch client to interact with your Elasticsearch cluster.
Agent Builder Tool Creation
Create a tool specialized in security queries that will perform semantic search. This tool will be available through the Agent Builder MCP server.
Index Mapping
To define the data structure, we need to create an index with appropriate mappings. We create a semantic_text field to perform semantic search over the content of the fields marked with the copy_to parameter. This lets the ELSER model generate embeddings for semantic search without the client having to write the semantic field itself.
Data Ingestion
With the mapping definition, we can ingest the data using the bulk API.
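As an added example (not the notebook's own code), the following shows how the copy_to mapping and the bulk body fit together. The index name, field names and sample records are my own constructed assumptions, and it assumes an Elasticsearch version where copy_to may target a semantic_text field.

```python
import json

# Assumed names (not from the notebook): index name and the fields copied into
# the semantic_text field. Requires a version where copy_to targets semantic_text.
INDEX_NAME = "security-knowledge-base"
SEMANTIC_SOURCE_FIELDS = ("title", "description", "affected_components", "mitigation")


def build_mapping() -> dict:
    """Index body: text fields copy_to one semantic_text field embedded by ELSER."""
    props = {f: {"type": "text", "copy_to": "semantic_field"} for f in SEMANTIC_SOURCE_FIELDS}
    props["record_id"] = {"type": "keyword"}  # exact-match id, deliberately not copied
    props["severity"] = {"type": "keyword"}
    props["published"] = {"type": "date"}
    # No inference_id set, so the cluster's default ELSER endpoint is used.
    props["semantic_field"] = {"type": "semantic_text"}
    return {"mappings": {"properties": props}}


def build_bulk_body(index: str, docs: list[dict]) -> str:
    """NDJSON for the _bulk API: an action line followed by a source line per doc."""
    lines = []
    for doc in docs:
        # semantic_field is derived by copy_to; a client writing it directly is a bug.
        if "semantic_field" in doc:
            raise ValueError("semantic_field is populated by copy_to, not by the client")
        action = {"index": {"_index": index}}
        if "record_id" in doc:
            action["index"]["_id"] = doc["record_id"]  # re-ingesting the same record overwrites it
        lines.append(json.dumps(action))
        lines.append(json.dumps(doc))
    return "\n".join(lines) + "\n"  # _bulk rejects a body without a trailing newline


# Constructed sample records; identifiers and content are placeholders.
SAMPLE_DOCS = [
    {"record_id": "INC-0001", "severity": "high", "published": "2024-03-01",
     "title": "Exposed admin console on internal gateway",
     "description": "Management interface reachable from the office VLAN without MFA.",
     "affected_components": "edge-gateway-01",
     "mitigation": "Restrict to the management VLAN and enforce MFA."},
    {"record_id": "INC-0002", "severity": "medium", "published": "2024-05-12",
     "title": "Outdated TLS configuration on build server",
     "description": "TLS 1.0 still enabled; weak cipher suites negotiated by CI agents.",
     "affected_components": "ci-build-03",
     "mitigation": "Disable TLS 1.0/1.1 and restrict cipher suites."},
]
```

With the 8.x Python client the two calls are `es.indices.create(index=INDEX_NAME, **build_mapping())` and `es.bulk(operations=build_bulk_body(INDEX_NAME, SAMPLE_DOCS), refresh="wait_for")`; pinning `_id` to the record id keeps a re-run of the ingestion cell from duplicating records.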
LangChain MCP Client
Here we create an MCP client using LangChain to consume the Agent Builder tools. The Agent Builder MCP server is available at {KIBANA_URL}/api/agent_builder/mcp and exposes Elasticsearch data and Agent Builder tools, acting strictly as a tools provider.
Agent Creation
Create an agent that selects the appropriate tool based on the user input. The agent is configured with a system prompt that defines it as a cybersecurity expert specializing in infrastructure security.
Agent State Definition
We define the application state. This state will be passed through the LangGraph workflow nodes, allowing each node to read and update the state as needed.
Internet Search Tool
Create a tool that searches the internet for newly published advisories or threat intelligence that may not yet exist internally. This tool uses the Serper API to search external sources for CVEs, advisories, and security intelligence.
LangGraph Workflow Nodes
We use LangGraph to define a workflow capable of making decisions, running tool calls, and summarizing results. The workflow consists of four main nodes:
- call_agent_builder_semantic_search: Queries internal documentation using the Agent Builder MCP server and stores the retrieved messages in the state.
- decide_internet_search: Analyzes the internal results and determines whether an external search is required.
- perform_internet_search: Runs an external search using the Serper API when needed.
- generate_final_response: Correlates internal and external findings and produces a final, actionable cybersecurity analysis for the user.
Workflow Definition
With the workflow nodes defined, we can now build the LangGraph workflow. The workflow connects the nodes with edges and conditional routing logic. The workflow starts with an internal search, then decides whether external search is needed, and finally generates a comprehensive response that correlates both internal and external findings.

Generating the workflow diagram image (optional)
Query execution
In this section we execute the workflow with a sample query.